Ladar Levison, founder of encrypted email service Lavabit, discusses recent government action that led him to shut down his firm. When it was suspected that NSA whistleblower Edward Snowden used Lavabit’s email service, the FBI issued a National Security Letter ordering Levison to hand over SSL keys, jeopardizing the privacy of Lavabit’s 410,000 users. Levison discusses his inspiration for founding Lavabit and why he chose to suspend the service; how Lavabit was different from email services like Gmail; developments in his case and how the Fourth Amendment has come into play; and his involvement with the recently-formed Dark Mail Technical Alliance.

Download

Related Links

• Lavabit, Levison
• Dark Mail, Zimmerman, Callas, Janke, Levison
• Lawyers raise civil liberty concerns in Lavabit case, Salon
• Lawyers for Lavabit founder: judges may dismiss civil liberties concerns, The Guardian

No, I’m not here to tell you more about the “supersized” FTC. Berin has done yeoman’s work to highlight that issue, among other things with the PFF event you can review here. On TechDirt, Mike Masnick wrote this morning about how the feds are itching to regulate the Internet.

This is about the direct government invasions of privacy likely to occur if S. 3217 passes. On the Cato@Liberty blog I write about the detailed financial market research that new regulatory agencies would do—research aimed at you.

Example:

Section 1071(b) requires any deposit-taking financial institution to geo-code customer addresses and maintain records of deposits for at least three years. Think of the government having its own Google map of where you and your neighbors do your banking. The Bureau [of Consumer Financial Protection] may “use the data for any other purpose as permitted by law,” such as handing it off to other bureaus, like the Federal Bureau of Investigation.

“Washington, D.C. has determined that Washington, D.C. should manage the financial services industry. Your personal and private financial affairs will be managed there too.”

What would I say about my own writing but read the whole thing?

The website ProCon.org has a new debate online laying out the different perspectives about the question: “Do violent video games contribute to youth violence?” It includes citations for a wide variety of studies that come down on both sides of the question. Simply put, there’s a study for everyone out there. Do you want to find a study suggesting that there’s a strong correlation between violently-themed media and aggression? You can find plenty. Or do you want to hear that there’s no correlation between these things? Well, there’s plenty of studies suggesting that, too.

As someone who briefly flirted with a degree in psychology, I find this an interesting intellectual debate. But here’s the thing I can’t get away from — lab studies by psychology professors and students are not the real-world. I am consistently shocked and disappointed at the lack of scrutiny these studies receive when they are little more than artificial constructions of reality.

So, how can we determine whether watching depictions of violence will turn us all into killing machines, rapists, robbers, or just plain ol’ desensitized thugs? Well, how about looking at the real world! Whatever lab experiments might suggest, the evidence of a link between depictions of violence in media and the real-world equivalent just does not show up in the data. The FBI produces ongoing Crime in the United States reports that document violent crimes trends. Here’s what the data tells us about overall violent crime, forcible rape, and juvenile violent crime rates over the past two decades: They have all fallen. Perhaps most impressively, the juvenile crime rate has fallen an astonishing 36% since 1995 (and the juvenile murder rate has plummeted by 62%).

Now, let me be perfectly clear about something. When analyzing such things it is vitally important to recall one of the first rules of statistical analysis: correlation does not necessarily equal causation. This works in both directions. Even if an increase in real-world violence was closely tracking depictions of violence on television or in video games, it wouldn’t necessarily mean there is a connection. But it would also be wrong to state that, on its own, an inverse correlation (with the trends moving in opposite directions) meant that there was absolutely no connection between these things.

At the margin, I believe that some media can have negative impacts on some people. Certainly, in heavy enough doses, watching non-stop depictions of sex or violence probably would have some sort of negative effect on some people — loss of sleep, if nothing else. Perhaps more.

Then again, it is impossible to ignore the real-world evidence being so starkly at odds with the “monkey see, monkey do” theories bandied about by some researchers or regulatory proponents. At a minimum, the real-world evidence should at least call into question the “world-is-going-to-hell” sort of generalizations made by proponents of increased media regulation, who all too often make casual inferences about the relationship between media exposure and various social indicators. Such a causal relationship is even more dubious today since all Americans, especially youngsters, are surrounded by a much wider variety of media than ever before. Even though television viewing has gone down slightly in recent years, it has been due to the rise of other media substitutes that command the attention of children, including the Internet, cell phones and video games. Overall, therefore, it appears that children are “consuming” as much, if not more, media than ever before. One would think that if depictions of violence in media really were leading to increased aggression among youth it would start showing up in some of these indicators at some point. But that’s just not occurring. [If you’re interested, I’ve discussed all these issues at much greater detail here, here, here, here, and here.]

Another argument I often hear is: ‘Well, the numbers would be even better if not for media violence!’ But there’s just no way to prove that one way or the other. Would the juvenile crime rate be down 46% instead of the 36% decrease we’ve actually since 1995? I don’t know. Nobody can know. But I certainly hope that media critics and regulatory proponents aren’t so foolish as to suggest that the crime rate would drop to zero if we just forced everybody to watch “Mary Poppins” all day long.

Finally, let’s keep in mind that, whatever the evidence suggests, there are many other ways society can deal with objectionable media content without resorting to government censorship. There are plenty of excellent parental control tools and methods out there today which give individuals and families, all of which have different needs and values, the ability to craft their own “household media standard.” There are also ways to put pressure on media providers, distributors, and advertisers to self-regulate content, or better control when and where it appears.  And educational and media literacy strategies can help assimilate youth into a media-saturated culture. To me, that’s the best approach. If you accept the fact that media — including violently-themed media — has always been with us and is never going away, then you understand the importance of talking to kids about these things in an open, understanding, and loving fashion. We should be doing this in schools, at home, and throughout society.

In the meantime, don’t buy into the hype about artificial lab studies, regardless of what they say. The kids are alright.

Additional Reading:

• Video Games, Violence, & Social “Science”: Another Day, Another Fight
• Does TV Cause Violence Against Women? PTC’s “Women in Peril” Report
• Why hasn’t violent media turned us into a nation of killers?
• Are All Video Games Violent?
• Do video games create cop killers?
• Let’s Consider the Facts Before We Call In Government to Regulate Video Games
• review: Kutner & Olson’s “Grand Theft Childhood”
• review: Dr. Kourosh Dini’s “Video Game Play & Addiction”
• Jenkins on new Pew report about “Teens, Video Games, and Civics”

Last year, my PFF colleague Adam Thierer asked whether State AGs + NCMEC = The Net’s New Regulators? Adam noted that NCMEC, the National Center for Missing and Exploited Children, a private non-profit organization, was playing a law enforcement role in regulating child pornography—but without any clear mechanisms for ensuring its accountability and effectiveness. Adam’s point wasn’t just that transparency is a good thing, but that when it comes to a cause as important as protecting children from exploitation, it’s vital to ensuring that we’re that we’re actually doing a good job at it!

Yesterday, Emmanuel Lazaridis commented on that post:

Given the increasing regulatory and investigative powers of the NCMEC, it is no longer clear whether or not the [Freedom of Information Act] applies to NCMEC records. We are about to find out. I am right now bringing a case against the NCMEC in federal court for access to records under the FOIA and, failing that, for discovery under 28 U.S.C. § 1782(a).

Mr. Lazaridis’s complaint in the D.C. District Court claims that Lazaridis (a Greek national) has been unfairly deemed a fugitive from U.S. justice for having taken his daughter to Greece over the objections of the girl’s American mother, Lazaridis’s ex-wife. NCMEC got involved by placing the girl on their MissingKids.com registry of abducted children. Lazaridis wants the court to recognize his custody, deem him not to be a fugitive, and to order NCMEC to turn over all their records on the girl.

This is, of course, just one side of the story (and such cases are usually so complicated as to be indecipherable to outsiders). But even if Lazaridis’s case were wholly without merit, his basic argument would be a sound one: Why shouldn’t NCMEC, in exercising any of its essentially governmental functions, be subject to the same accountability requirements through FOIA as the FBI would be?

When the issue is the Lazaridis family’s trans-Atlantic custody battle, it may seem easy to ignore this question. But when NCMEC is essentially making policy regarding filtering Internet content, blacklisting websites, turning over user logs to law enforcement, or “cleaning up” Craigslist, the question of NCMEC’s accountability under FOIA cannot be avoided as a critical decision about the future of Internet governance.

On heels of Adam’s piece last year, controversialist Chris Soghoian suggested one answer: Given its status as a sacred cow, we cannot expect any politician pay heed to calls to overhaul NCMEC or subject it to oversight. However, what we can do, is call for the nationalization of the National Center for Missing and Exploited Children.

Think of it this way: We have a drug czar, a war czar, a copyright czar, and will likely have a cybersecurity czar and car czar under the next administration. Why not throw a child porn czar into the mix? Nationalize NCMEC, make all of its workers federal employees, with good health care and job security, and perhaps even expand its budget–after all, it does good work, right? NCMEC’s job is simply too important to be entrusted to a nonprofit group–such a task can only be performed by a fully trained and funded law enforcement agency (one, which conveniently enough, is subject to the Freedom of Information Act, congressional oversight, and constitutional requirements for due process.)

Despite my differences with Chris, he’s often right and may be here, too. He’s certainly right that Congress is unlikely to address the problem of NCMEC’s accountability given the sensitivity of the issue of child protection.

But, fortunately, we live in a republic, not a pure democracy: Our third branch of government, the courts, exists to enforce the rule of law; being somewhat insulated from political pressure, the courts provide a final check on the authority even of the almighty NCMEC. So while Chris’s nationalization proposal might well be the ideal solution, it hasn’t happened yet—nine months later to the day, and it’s probably not high on the Obama administration’s list of czarist reforms.

But simply by ordering NCMEC to comply with FOIA, the Lazaridis court could, with the stroke of a pen, bring accountability to NCMEC’s law enforcement functions. The legal question is simple: Does NCMEC qualify as an “agency,” which FOIA defines as an “authority of the Government of the United States?”

If so, NCMEC must not only respond to requests for certain of its “records,” but it must also follow a rule-making process akin to that required of federal agencies when they make policy decisions, offering the public appropriate notice and the opportunity to comment on proposed regulations—instead of, say, threatening Internet companies behind closed doors (sometimes the same companies that later make generous donations to NCMEC) or cutting deals with state attorneys general.

It turns out that this is not a new issue. Federal courts have had to decide whether a number of quasi-governmental entities qualify as “agencies” over the years, especially given the trend towards privatization over the last three decades. Some organizations, like the Smithsonian Institution, have decided to comply with FOIA even though courts have held that they’re not required to do so. NCMEC could have allayed all these concerns years ago by doing the same thing, but absent a change in management at the organization, it seems only a court order will force the organization to open its “black box” of decision-making to public inquiry.

In a number of other circumstances, courts have required nominally private organizations to comply with the federal FOIA or its state equivalents. A thorough (if dated) treatment of this issue can be found in the 1999 law review article, Privatization and the Freedom of Information Act: An Analysis of Public Access to Private Entities Under Federal Law by Craig Feiser, Florida’s deputy solicitor general and an adjunct at FSU Law. Feiser explains:

When Congress amended FOIA in 1974, it added section 552(f)(1) and broadened the definition of “agency” to include entities not explicitly mentioned under the APA, but which “perform governmental functions and control information of interest to the public.”

In deciding whether a private organization qualifies as an agency subject to FOIA, courts have considered two factors.

One factor asks whether the entity has substantial independent authority in performing a function of the government, making it the functional equivalent of the government. The other factor asks whether the government substantially controls the entity’s day-to-day operations or organizational framework. In using either factor, the court is essentially asking to what degree the entity is performing a government function. In one case, the government is pulling nearly all of the strings; in the other case, the entity is making decisions independently for the government.

Financially, NCMEC is largely a creature of government: 70% of NCMEC’s $42 million budget in 2007 came from the government. But as Feiser notes, funding does not always mean control. Government control over NCMEC’s internal decisions is unclear. Indeed, the very lack of government control over an organization essentially regulating the Internet and imposing criminal sanctions that could follow convicted “sex offenders” for life would by itself be an enormous problem.

But given what NCMEC actually does, it obviously qualifies as an “agency” subject to FOIA under the “functional equivalence factor,” which as Feiser explains,

basically represents the opposite situation from the control factor. Here, the entity is functioning independently, but making decisions for the government, as opposed to having its decisions made by the government. In effect, it is the functional equivalent of the federal government, and, therefore, it should be an “agency” under the FOIA.

I’ll be watching the Lazaridis case closely, hoping that the court sees NCMEC for what it is: a private organization tasked with implementing not just any government function, but the enforcement of laws against the most vulnerable victims in society. Absent such a recognition, NCMEC will continue to grow into an unaccountable regulator for the Internet.

Today, the only public oversight of NCMEC required by law is the requirement that NCMEC (like any non-profit with federal tax-exempt 501(c)(3) non-profit status) file a Form 990 each year disclosing basic information about its finances. That report does not list NCMEC’s donors, because donors have a First Amendment right to remain anonymous, but a more transparent organization would, like my own think tank, at least identify its major donors. The 2006 and 2007 Form 990s do reveal a few interesting things, though, about what NCMEC does with its budget (70% of which comes from the taxpayer):

• NCMEC’s CEO, Ernie Allen, was paid $359,191 plus $411,636 in benefits in 2006 (PDF p. 46) and $409,821 plus $426,540 in benefits in 2007 (PDF p. 19), for a total of $1.6 million in two years (roughly $800,000/year);
• Not counting Allen, NCMEC spent $778,564 on its top five highest-paid employees in 2006 ($155,713/employee), and $875,657 in 2007 ($175,131/employee) (PDF p. 10 in both);
• 31% of NCMEC’s 2006 revenues and 35% of its 2007 revenues went to salaries (PDF pp. 1 & 2 in both); and
• NCMEC had 104 employees paid over $50,000 in 2006 (PDF p. 10) and 116 in 2007 (PDF p. 10).

I’d be reluctant to suggest that anyone at NCMEC was more interested in money than in protecting children, but if given the choice, we’d all prefer to do well while doing good. So if Allen were smart, he’d realize that a court order subjecting NCMEC to FOIA might be the best of all possible worlds: Requiring real accountability would neutralize calls for nationalizing NCMEC, allowing the organization to continue operating as a non-profit that can pay quite a bit better than the Federal civil service. Even the Senior Executive Service, for agency heads, maxes out at a measly $177,000/year.

Of course, if NCMEC’s records and decisions to regulate the Internet were subject to FOIA, the organization might not be able to… “convince” the Internet companies it essentially regulates to write large checks to NCMEC. But even this tax-hating libertarian would be hard-pressed to argue against funding the enforcement of laws against child pornography, abduction and exploitation with taxpayer dollars.

As the grandson of an FBI agent, whose framed credentials hang in a place of pride in my office (stamped “RETIRED” after his 25 years of loyal service), I can’t help but wonder how many more agents the FBI could employ to combat child porn with an extra $1.6 million/year in funding (the salary of Allen and NCMEC’s top-five highest paid employees). It seems that FBI agents today make roughly $48,000-87,000/year. Let’s call it an average of $67,500 and throw in 20% for overhead. That works out to $81,000/year—or:

• 20 new agents for what NCMEC is paying its top six employees; or
• 368 new agents for the $29.82 million NCMEC received in government support in 2007.

I’m sure the solution is far more complicated than simply hiring more FBI agents, and that NCMEC does much good work in the service of a noble cause. But until NCMEC is either nationalized as a direct arm of law enforcement or made significantly more accountable as a private organization, we won’t really have any way of knowing whether the money being spent on NCMEC is being spent in the most effective manner possible to deal with the problems of child pornography, abduction and exploitation. We also won’t know whether draconian alternatives to direct enforcement ( e.g., hiring more FBI agents) like network-level filtering mandates are truly necessary, despite their unintended consequences for the free speech and privacy rights of law-abiding Internet users.

Over the past year, I have been monitoring a very interesting trend with important ramifications for the future of Internet policy. State Attorneys General (AGs) — often in league with the National Center for Missing and Exploited Children (NCMEC) — have been striking a variety of “voluntary” agreements with various Internet companies that deal with child safety concerns or other online issues. These agreements require the companies involved to take various steps to alter site architecture and functionality, commit to stop certain practices, or take steps to block certain users (ex: predators; escort services) or types of content (ex: child porn; online “discrimination”) altogether.

To begin, let me be very clear about one thing: Some of these activities or types of content warrant a law enforcement response. That is certainly the case with child pornography or predation, for example. However, as I will note down below, there is a legitimate question about whether state officials and a non-profit private organization should be crafting legal or regulatory policies to address such concerns for a global medium like the Internet. Regardless, these agreements are creating a new layer of Internet regulation (almost extra-legal in character) that is worthy of exploration.

First, let me itemize some of these recent “voluntary” agreements between Internet companies and the AGs and/or NCMEC:

• MySpace, Facebook & 49 state AGs: On January 14th, 2008, social networking website operator MySpace.com announced an agreement with 49 state Attorneys General (AGs) aimed at better protecting children online. As part their “Joint Statement on Key Principles of Social Networking Safety,” MySpace promised the AGs it would expand online safety tools, improve education efforts, and expand its cooperation with law enforcement. Facebook entered into a similar agreement with the AGs in May. These agreements came after AGs had relentlessly pushed these social networking sites for over a year to adopt age verification techniques to screen site users. Although mandatory age verification was not part of the final agreements, an Internet Safety Technical Task Force (ISTTF) was formed to study online safety tools, including a review of online identity authentication technology. It was clear when the announcements were made that the AGs were very interested in seeing online age verification pursued.
• Various ISPs and New York AG + NCMEC: In June 2008, New York Attorney General Andrew Cuomo pushed several major ISPs to enter into a Memorandum of Understanding (MOU) with NCMEC to address the dissemination of child pornography online.  Under the MOU, the ISPs must use a NCMEC-provided list of URLs supposedly containing child pornographic images to blacklist and block all access to those sites for their users. The agreement also closed off access to Usenet discussion boards on those ISP’s networks.
• Craigslist & California AG + NCMEC: In early November, Craigslist struck an agreement with 40 state AGs as well as NCMEC in which the online classifies operator agreed to take steps to root out certain sexually-themed or “erotic services” listings. See this Ars Technica article for additional details.
• eHarmony & New Jersey AG: Just this past week, the online dating service company eHarmony announced it had struck an agreement with the Attorney General of New Jersey to settle a complaint that a New Jersey resident filed with the state in 2005 alleging that eHarmony violated his rights by not offering a same-sex matching service. The agreement creates some interesting questions, as George Mason University law professor David Bernstein told the Wall Street Journal. The discrimination claim “seems like quite a stretch,” he said, and he said that he is worried it might encourage similar claims. “If you start a dating service for African Americans, do you need one for whites and Latinos? If you have one for Jews, do you need one for Christians and Muslims?” According to the Journal, eHarmony faces a similar discrimination claim in a California court, so we might get answers soon enough.

There are a number of interesting legal and practical questions raised by these agreements:

• “Voluntary” Agreements & the Law: Although typically billed as “voluntary” in nature, it seems highly unlikely that any of the companies involved would have made these concessions without  pressure from the state AGs (and sometimes NCMEC) to do so. How binding are these agreements in light of that? Of course, it is unlikely any of the companies involved would (or could) later challenge the validity or scope of these agreements after they had already signed onto them. But what if a free speech or civil liberties group challenged these agreements in court because of their impact on the Internet, online speech, or a certain group of citizens? Would they have a case? Would they even have standing? Where do they have it?
• Precedent & Applicability: Do such agreements constitute precedents that could be applied in other cases or contexts? Could parties not involved in the original agreements — either because they refused or did not yet exist — eventually be covered by them in some fashion? Do these agreements cover services available in the American but hosted entirely overseas?
• Commerce Clause Issues: Do state Attorneys General have the right to impose such quasi-regulatory regimes on an interstate medium like the Internet? Can 50 state AGs impose uniform laws on the Net without any congressional oversight, as was the case in the MySpace and Craigslist agreements? Conversely, what will the impact be of individual state AGs going their own way, as was the case with the eHarmony agreement? If Congress remains silent on the agreements but a group (ex: a civil liberties group) brings a dormant Commerce Clause case, what are their chances of prevailing in court?
• Accountability & Effectiveness: Will anyone in Congress or a federal agency oversee these agreements? How transparent are these agreements when they are brokered behind closed doors or with NCMEC? Does the Freedom of Information Act (FOIA) apply such that records and information can be made public?  What is the benchmark of success when different states adopt different legal regimes for the Net?

I’m not saying I have any good answers here; I’m just trying to get the questions on the table and get a discussion going. I would appreciate any input on the matter, especially of the legal variety. It strikes me that we are in somewhat uncharted waters here, at least for the Internet. On the other hand, I’m sure there have been state AG-related “voluntary” agreements struck in other industries and contexts in the past that might provide some insight into what, if anything, happens next.

What I find most interesting about these developments is that the state AGs appear to be gradually accomplishing what Congress has not been able to do over the past dozen years: To impose a comprehensive regulatory structure on the Internet. But that emerging regulatory structure is highly fractured and piecemeal in nature, and that troubles me. I am particularly concerned about the long-term impact of a 50-state patchwork approach to online regulation — both for speech and commerce. It’s not like we’re talking about the regulation of a corner newsstand here, after all. This is the Internet, and localized regulation of this national — actually global — platform makes me more than a bit nervous.

In closing, I want to again reiterate that I do not necessarily oppose intervention in any of these cases. However, to the extent such regulations do need to be imposed and enforced, it may make more sense for the process to be federalized and NCMEC’s role nationalized and administered by the Federal Bureau of Investigation or some branch of the Department of Justice. There needs to be greater transparency and accountability when matters of child pornography or predation are at issue, and NCMEC’s lack of FOIA-ability in this regard is problematic. I think NCMEC is a fine organization that does very important work to help protect children, but it is work that involves criminal activities and the collection of evidence that could be used in criminal court proceedings. In light of that — and in light of the expanded law enforcement powers being granted to NCMEC — I believe the time has come to have a serious conversation about whether those powers should continue to be housed in a private, non-profit organization, or if they should be transfered to a federal law enforcement agency. Of course, there could be serious downsides associated with the nationalization of those powers, which also should be considered.

Dennis McCauley of Gamepolitics.com takes on that issue today in a column:

In the United States, the FBI tracks annual statistics on police officer slayings as well as assaults on police officers. I compared these figures to the various release dates for the three major GTA console game releases to date (GTA III, GTA Vice City, GTA San Andreas) and plotted the whole thing on the chart below. It’s a bit like the well-known video games vis-a-vis juvenile crime graph created by Duke Ferris of GameRevolution a few years back, although with a much narrower focus.The FBI statistics portray a much different picture than that painted by critics like Thompson and Grossman. In the chart, I’ve plotted FBI figures for police officers feloniously killed (blue line) and police officers assaulted (red line, listed in thousands). As can be seen, police officer murders peaked at 70 in 1997 (i.e., four years before GTA III) and again in 2001. GTA III was released in late October that year, so if the game caused that year’s spike, it would have had only two months in which to do so. (also, the 2001 figures don’t count the 72 officers lost when the World Trade Centers collapsed). The chart shows that since GTA III was released police killings have been trending downward to a low of 48 in 2006. Although the FBI has not yet posted 2007 numbers, the National Law Enforcement Officers Memorial Fund lists 68 police officers as having been shot to death in 2007. But it’s worth pointing out that while there may have been a spike in police slayings last year, there was no corresponding GTA release. There hasn’t been a new Grand Theft Auto console title issued since San Andreas in October, 2004.

I’ve commented more on these issues in my essay on “Why hasn’t violent media turned us into a nation of killers?”